From tibbs at math.uh.edu Sat Sep 2 03:43:46 2006
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: Fri, 01 Sep 2006 22:43:46 -0500
Subject: fedora-security/audit fc5,1.308,1.309 fc6,1.54,1.55
In-Reply-To: <200609020334.k823YKiT005087@cvs-int.fedora.redhat.com> (Josh Bressers's message of "Fri, 1 Sep 2006 20:34:20 -0700")
References: <200609020334.k823YKiT005087@cvs-int.fedora.redhat.com>
Message-ID:

>>>>> "JB" == Josh Bressers <(bressers) > writes:

JB> Modified Files: fc5 fc6 Log Message: Note some new PHP CVE ids.

FC6 seems to have PHP 5.1.6 now, so should these:

+CVE-2006-4486 VULNERABLE (php, fixed 5.1.6)
+CVE-2006-4485 VULNERABLE (php, fixed 5.1.5)
+CVE-2006-4484 ignore (php, fixed 5.1.5)
+CVE-2006-4482 VULNERABLE (php, fixed 5.1.5)

be listed as fixed?

 - J<

From bressers at redhat.com Sat Sep 2 04:01:36 2006
From: bressers at redhat.com (Josh Bressers)
Date: Sat, 02 Sep 2006 00:01:36 -0400
Subject: fedora-security/audit fc5,1.308,1.309 fc6,1.54,1.55
In-Reply-To:
References: <200609020334.k823YKiT005087@cvs-int.fedora.redhat.com>
Message-ID: <200609020401.k8241aQl016130@devserv.devel.redhat.com>

> >>>>> "JB" == Josh Bressers <(bressers) > writes:
>
> JB> Modified Files: fc5 fc6 Log Message: Note some new PHP CVE ids.
>
> FC6 seems to have PHP 5.1.6 now, so should these:
>
> +CVE-2006-4486 VULNERABLE (php, fixed 5.1.6)
> +CVE-2006-4485 VULNERABLE (php, fixed 5.1.5)
> +CVE-2006-4484 ignore (php, fixed 5.1.5)
> +CVE-2006-4482 VULNERABLE (php, fixed 5.1.5)
>
> be listed as fixed?

That's what any sane person would think :)

The file is a snapshot of FC6, in this case it's a snapshot of FC6 Test 2. Since FC6 Test 2 contained php 5.1.4, we mark them vulnerable. Once Test 3 comes out we'll look through the file again.
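Review bot: the CVE-2006-4484 entry is marked "ignore" while CVE-2006-4485 and CVE-2006-4482, which carry the same "fixed 5.1.5" annotation, are marked VULNERABLE, and the line gives no reason for the difference. Suggest adding a short reason on that entry, so that whoever re-checks the file against the next snapshot can tell whether the entry needs another look.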
-- JB

From sundaram at fedoraproject.org Mon Sep 11 05:50:29 2006
From: sundaram at fedoraproject.org (Rahul)
Date: Mon, 11 Sep 2006 11:20:29 +0530
Subject: Red Hat and NIST collaboration on security
Message-ID: <4504F925.20704@fedoraproject.org>

Hi

http://www.irishdev.com/NewsArticle.aspx?id=3797

Is this work being done on Fedora too for both core and extras?

Rahul

From bugzilla at redhat.com Thu Sep 14 15:18:51 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 11:18:51 -0400
Subject: [Bug 201688] Clam AntiVirus Win32-UPX Heap Overflow
In-Reply-To:
Message-ID: <200609141518.k8EFIpZ1004733@bugzilla.redhat.com>

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: Clam AntiVirus Win32-UPX Heap Overflow

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201688

------- Additional Comments From lkundrak at skosi.org 2006-09-14 11:18 EST -------
CVE-2006-4018

This is already fixed in 0.88.4.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla at redhat.com Thu Sep 14 19:40:26 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 15:40:26 -0400
Subject: [Bug 206510] New: CVE-2006-2658: xsp directory traversal vulnerability
Message-ID:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206510

Summary: CVE-2006-2658: xsp directory traversal vulnerability
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: xsp
AssignedTo: paul at all-the-johnsons.co.uk
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

xsp/mod_mono has reportedly a directory traversal vulnerability, see
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2658

Information about this is pretty scarce, but it should be investigated whether this applies to the FE xsp/mod_mono packages in addition to SuSE products.

From bugzilla at redhat.com Thu Sep 14 19:47:14 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 15:47:14 -0400
Subject: [Bug 206514] New: CVE-2006-4743: wordpress information disclosure
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206514

Summary: CVE-2006-4743: wordpress information disclosure
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: wordpress
AssignedTo: jwb at redhat.com
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Another information (path?) disclosure vulnerability reported against wordpress:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4743

It is not clear to me whether this is an actual security issue in the FE (4, 5, devel) package, but it should be investigated.

From bugzilla at redhat.com Thu Sep 14 19:53:43 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 15:53:43 -0400
Subject: [Bug 206516] New: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: high
Priority: normal
Component: moodle
AssignedTo: imlinux at gmail.com
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

Moodle 1.6.1 and earlier are reportedly vulnerable to:
- cross site scripting (CVE-2006-4784)
- SQL injection (CVE-2006-4785)
- sensitive information disclosure (CVE-2006-4786)

FE-4, FE-5 and devel apparently affected.

From bugzilla at redhat.com Thu Sep 14 20:22:03 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 16:22:03 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609142022.k8EKM3Mr007501@bugzilla.redhat.com>
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

------- Additional Comments From tibbs at math.uh.edu 2006-09-14 16:21 EST -------
At this time I'm having difficulty verifying that the 1.5.4 release is vulnerable. Secunia is still saying 1.6.x, and that other versions may be vulnerable. Moodle.org doesn't have anything to say about the matter other than the 1.6.2 release indicating security fixes. (The 1.5 branch is still maintained, but shows no related changes.)

From bugzilla at redhat.com Thu Sep 14 20:42:47 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 16:42:47 -0400
Subject: [Bug 206510] CVE-2006-2658: xsp directory traversal vulnerability
In-Reply-To:
Message-ID: <200609142042.k8EKglPl009465@bugzilla.redhat.com>

Summary: CVE-2006-2658: xsp directory traversal vulnerability

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206510

paul at all-the-johnsons.co.uk changed:

What      |Removed     |Added
----------------------------------------------------------------------------
Status    |NEW         |ASSIGNED

------- Additional Comments From paul at all-the-johnsons.co.uk 2006-09-14 16:42 EST -------
I've looked at this report and by the looks of it, yes the FE xsp/mod_mono will come under the same umbrella (built from the same sources).

I've asked on the mono-developers list if there is a patch available and if there is, I shall apply it quickly.

Could you please advise what to do in the meantime? Should I put an advisory out on the FE list alerting people to the issue?

From bugzilla at redhat.com Thu Sep 14 20:47:48 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 16:47:48 -0400
Subject: [Bug 206510] CVE-2006-2658: xsp directory traversal vulnerability
In-Reply-To:
Message-ID: <200609142047.k8EKlm1F010305@bugzilla.redhat.com>

Summary: CVE-2006-2658: xsp directory traversal vulnerability

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206510

------- Additional Comments From tibbs at math.uh.edu 2006-09-14 16:47 EST -------
I wouldn't go so far as to send an advisory. This is currently classified as a low-risk vulnerability so I'd suggest simply patching it ASAP. You may be able to extract the fix from the SUSE package if you can find it.

From bugzilla at redhat.com Thu Sep 14 20:54:57 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 16:54:57 -0400
Subject: [Bug 206510] CVE-2006-2658: xsp directory traversal vulnerability
In-Reply-To:
Message-ID: <200609142054.k8EKsva7011268@bugzilla.redhat.com>
Summary: CVE-2006-2658: xsp directory traversal vulnerability

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206510

paul at all-the-johnsons.co.uk changed:

What      |Removed     |Added
----------------------------------------------------------------------------
Status    |ASSIGNED    |CLOSED
Resolution|            |NOTABUG

------- Additional Comments From paul at all-the-johnsons.co.uk 2006-09-14 16:54 EST -------
Just been advised that it only relates to the 1.1.14 version of mod_mono not 1.1.17 (which is packaged for both FE5 and rawhide)

Closing the bug. Thanks for the advice :-)

From bugzilla at redhat.com Thu Sep 14 21:05:16 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 17:05:16 -0400
Subject: [Bug 206514] CVE-2006-4743: wordpress information disclosure
In-Reply-To:
Message-ID: <200609142105.k8EL5Gap012149@bugzilla.redhat.com>

Summary: CVE-2006-4743: wordpress information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206514

------- Additional Comments From tmraz at redhat.com 2006-09-14 17:04 EST -------
This is a bogus CVE reported against nonexistent 2.0.5 version of wordpress. (Probably a 2.0.1 version actually.) 2.0.4 is not vulnerable.

From bugzilla at redhat.com Fri Sep 15 01:22:41 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 21:22:41 -0400
Subject: [Bug 206514] CVE-2006-4743: wordpress information disclosure
In-Reply-To:
Message-ID: <200609150122.k8F1MfCo027713@bugzilla.redhat.com>

Summary: CVE-2006-4743: wordpress information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206514

jwb at redhat.com changed:

What      |Removed     |Added
----------------------------------------------------------------------------
Status    |NEW         |CLOSED
Resolution|            |NOTABUG

------- Additional Comments From jwb at redhat.com 2006-09-14 21:22 EST -------
Agreed - this looks like it's a repeat of an earlier vulnerability. Closing this NOTABUG.

From bugzilla at redhat.com Fri Sep 15 02:33:31 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 22:33:31 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609150233.k8F2XVtv031734@bugzilla.redhat.com>
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

imlinux at gmail.com changed:

What      |Removed     |Added
----------------------------------------------------------------------------
Status    |NEW         |ASSIGNED

------- Additional Comments From imlinux at gmail.com 2006-09-14 22:33 EST -------
I'll keep my eye open as well, I'll probably just update for update's sake though there's some patches I don't fully understand being applied to that package. (new maintainer)

From bugzilla at redhat.com Fri Sep 15 03:31:01 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 14 Sep 2006 23:31:01 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609150331.k8F3V1Aj003558@bugzilla.redhat.com>

Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

------- Additional Comments From tibbs at math.uh.edu 2006-09-14 23:30 EST -------
Let me know if you need assistance. I have some experience with Moodle but no longer use it here; I updated the package previously to deal with a security issue but I have little interest in maintaining it in the long term.

I admit to being confused by the patches as well; I understand what they're doing but I don't really understand why they need to be applied. And of course there's no documentation.
I'm beginning to think that we should require that all patches have at least a line of comment in the spec file indicating what they change and why they need to be applied.

From mjc at redhat.com Mon Sep 25 10:28:23 2006
From: mjc at redhat.com (Mark J Cox)
Date: Mon, 25 Sep 2006 11:28:23 +0100 (BST)
Subject: FC6
In-Reply-To: <200609231118.58884.jkeating@redhat.com>
References: <0609151010220.16368@dell1.moose.awe.com> <200609231118.58884.jkeating@redhat.com>
Message-ID: <0609251124030.28231@dell1.moose.awe.com>

On Sat, 23 Sep 2006, Jesse Keating wrote:

> For lack of a better process, I'd say each known (public) issue gets a
> bugzilla and blocks FC6Blocker .

Here is what I've marked FC6Blocker today. Seems sensible to get these fixed before we release especially as the issues are all old.

CVE-2006-4624 VULNERABLE (mailman, fixed 2.1.9rc1) bz#206607 [FC6Blocker]
CVE-2006-4226 VULNERABLE (mysql, fixed 5.0.25,5.1.12) bz#203428 [FC6Blocker]
CVE-2006-4227 VULNERABLE (mysql, fixed 5.0.25,5.1.12) bz#203434 [FC6Blocker]
CVE-2006-4031 VULNERABLE (mysql, fixed 5.0.24) bz#202675 [FC6Blocker]
CVE-2006-3636 VULNERABLE (mailman, fixed 2.1.9) bz#206607 [FC6Blocker]
CVE-2006-2941 VULNERABLE (mailman, fixed 2.1.9) bz#206607 [FC6Blocker]

The following were vulnerable in Test3 but are fixed in dist-fc6 as of today:

CVE-2006-4790 VULNERABLE (gnutls, fixed 1.4.4) [backported to 1.4.1-2 in rawhide]
CVE-2006-4571 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-4571 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4570 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-4569 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4568 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4567 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4567 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-4566 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4566 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-4565 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4565 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-4538 VULNERABLE (kernel, fixed after 2.6.18-rc6)
CVE-2006-4340 VULNERABLE (nss, fixed 3.11.3) bz#206608 [in rawhide]
CVE-2006-4338 VULNERABLE (gzip) [in rawhide]
CVE-2006-4337 VULNERABLE (gzip) [in rawhide]
CVE-2006-4336 VULNERABLE (gzip) [in rawhide]
CVE-2006-4335 VULNERABLE (gzip) [in rawhide]
CVE-2006-4334 VULNERABLE (gzip) [in rawhide]
CVE-2006-4253 VULNERABLE (firefox, fixed 1.5.0.7) [in rawhide]
CVE-2006-4253 VULNERABLE (thunderbird, fixed 1.5.0.7) [in rawhide]
CVE-2006-3740 VULNERABLE (libXfont, fixed 1.2.2) bz#206609 [in rawhide]
CVE-2006-3739 VULNERABLE (libXfont, fixed 1.2.2) bz#206609 [in rawhide]

Which leaves the following which are the issues that are not
fixed upstream for whatever reason:

CVE-2006-4561 VULNERABLE (firefox)
CVE-2006-4261 VULNERABLE (firefox)
CVE-2006-2894 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=56236
CVE-2006-0496 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=324253
CVE-2005-4809 VULNERABLE (firefox)
CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix
CVE-2003-1265 VULNERABLE (firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=198442
CVE-2003-1265 VULNERABLE (thunderbird) https://bugzilla.mozilla.org/show_bug.cgi?id=198442

From bugzilla at redhat.com Tue Sep 26 18:22:17 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Tue, 26 Sep 2006 14:22:17 -0400
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200609261822.k8QIMHaO026573@bugzilla.redhat.com>

Summary: CVE-2006-3458: Zope local information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106

ville.skytta at iki.fi changed:

What      |Removed     |Added
----------------------------------------------------------------------------
Status    |CLOSED      |NEW
Keywords  |            |Reopened
Resolution|NEXTRELEASE |

------- Additional Comments From ville.skytta at iki.fi 2006-09-26 14:22 EST -------
Looks like some additional closely related issues were found after the 2006-07-05 hotfix, FE-3 and FE-4 seem affected:
http://www.vuxml.org/freebsd/65a8f773-4a37-11db-a4cc-000a48049292.html
http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt
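
Added example (not part of the archived messages and not the Fedora security team's own tooling): a small parser for the audit-file entries quoted in the PHP thread and in Mark J Cox's FC6 message above, which re-checks each VULNERABLE entry against the package versions of a newer snapshot. The php versions 5.1.4 and 5.1.6 come from the thread; the mysql version and all function names are assumptions made for the example.

```python
import re

# One audit entry: CVE id, status, "(package[, fixed VERSIONS])", free-form rest.
ENTRY_RE = re.compile(
    r"^\+?(?P<cve>CVE-\d{4}-\d+)\s+(?P<status>\S+)\s+"
    r"\((?P<pkg>[^,)]+)(?:,\s*fixed\s+(?P<fixed>[^)]+))?\)\s*(?P<rest>.*)$"
)
NUMERIC = re.compile(r"^\d+(?:\.\d+)*$")

# Constructed sample: entries copied from the messages above.
AUDIT_LINES = """\
CVE-2006-4486 VULNERABLE (php, fixed 5.1.6)
CVE-2006-4485 VULNERABLE (php, fixed 5.1.5)
CVE-2006-4484 ignore (php, fixed 5.1.5)
CVE-2006-4482 VULNERABLE (php, fixed 5.1.5)
CVE-2006-4624 VULNERABLE (mailman, fixed 2.1.9rc1) bz#206607 [FC6Blocker]
CVE-2006-4226 VULNERABLE (mysql, fixed 5.0.25,5.1.12) bz#203428 [FC6Blocker]
CVE-2006-4538 VULNERABLE (kernel, fixed after 2.6.18-rc6)
CVE-2006-4338 VULNERABLE (gzip) [in rawhide]
CVE-2005-3675 VULNERABLE (kernel) optack, no upstream fix
"""

# Snapshot contents. php versions are the ones named in the thread;
# the mysql version is a constructed value for illustration.
FC6_TEST2 = {"php": "5.1.4", "mysql": "5.0.22"}
NEWER = {"php": "5.1.6", "mysql": "5.0.22"}


def parse_entry(line):
    """Split one audit line into its fields; return None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    bz = re.search(r"bz#(\d+)", rest)
    fixed = m.group("fixed") or ""
    return {
        "cve": m.group("cve"),
        "status": m.group("status"),
        "pkg": m.group("pkg").strip(),
        # "fixed 5.0.25,5.1.12" lists one fixed version per upstream branch.
        "fixed": [v.strip() for v in fixed.split(",") if v.strip()],
        "bz": bz.group(1) if bz else None,
        "tags": re.findall(r"\[([^\]]+)\]", rest),
    }


def as_tuple(version):
    return tuple(int(part) for part in version.split("."))


def recheck(entry, shipped):
    """Re-evaluate a VULNERABLE entry against the versions in a snapshot."""
    if entry["status"] != "VULNERABLE":
        return "unchanged"
    have = shipped.get(entry["pkg"])
    fixed = entry["fixed"]
    # No version to compare, or a non-numeric one ("2.1.9rc1",
    # "after 2.6.18-rc6"): leave the decision to a person.
    if not have or not fixed or not all(NUMERIC.match(v) for v in fixed + [have]):
        return "manual"
    have_t = as_tuple(have)
    branch = [v for v in fixed if as_tuple(v)[:2] == have_t[:2]]
    if len(fixed) > 1 and not branch:
        return "manual"
    target = as_tuple(branch[0] if branch else fixed[0])
    width = max(len(have_t), len(target))
    pad = lambda t: t + (0,) * (width - len(t))
    return "fixed" if pad(have_t) >= pad(target) else "vulnerable"


def recheck_all(text, shipped):
    """Return (cve, package, verdict) for every parsable line of an audit file."""
    results = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            results.append((entry["cve"], entry["pkg"], recheck(entry, shipped)))
    return results


if __name__ == "__main__":
    for name, snapshot in (("FC6 Test 2", FC6_TEST2), ("newer snapshot", NEWER)):
        print(name)
        for cve, pkg, verdict in recheck_all(AUDIT_LINES, snapshot):
            print(f"  {cve} {pkg}: {verdict}")
```

Entries whose fixed version is not a plain dotted number are reported as "manual" rather than guessed at, since ordering a release candidate against a release depends on the packaging tool's version rules.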

From bugzilla at redhat.com Wed Sep 27 19:05:04 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Sep 2006 15:05:04 -0400
Subject: [Bug 208299] New: CVE-2006-4976: php-adodb information disclosure
Message-ID:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208299

Summary: CVE-2006-4976: php-adodb information disclosure
Product: Fedora Extras
Version: fc5
Platform: All
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4976
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: php-adodb
AssignedTo: gauret at free.fr
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-list at redhat.com

CVE-2006-4976: The Date Library in John Lim ADOdb Library for PHP allows remote attackers to obtain sensitive information via a direct request for [...]

There's not much information about this issue (?) available at the moment.

From bugzilla at redhat.com Wed Sep 27 19:14:45 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Sep 2006 15:14:45 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609271914.k8RJEjpI000859@bugzilla.redhat.com>
Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

------- Additional Comments From ville.skytta at iki.fi 2006-09-27 15:14 EST -------
More issues reported mostly against 1.6.1 and earlier or 1.6.2 and earlier:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4943
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4942
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4936
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4935

From bugzilla at redhat.com Wed Sep 27 19:31:27 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Sep 2006 15:31:27 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609271931.k8RJVRGM002002@bugzilla.redhat.com>

Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

------- Additional Comments From imlinux at gmail.com 2006-09-27 15:31 EST -------
Actually I'd really appreciate that, I haven't had time to sit down and really look at what the patches do. I took this from ignacio because I felt it was important enough to make sure it was maintained and because no one else wanted it :D.

tibbs: If you have some time and can help me out, by all means have at it.
I'm not against removing the patches to see what happens, people may not even be using them.

From bugzilla at redhat.com Wed Sep 27 20:36:05 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 27 Sep 2006 16:36:05 -0400
Subject: [Bug 206516] CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities
In-Reply-To:
Message-ID: <200609272036.k8RKa5r4007385@bugzilla.redhat.com>

Summary: CVE-2006-4784, CVE-2006-4785, CVE-2006-4786: moodle multiple vulnerabilities

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206516

------- Additional Comments From tibbs at math.uh.edu 2006-09-27 16:36 EST -------
As far as I can tell, none of the CVEs in comment #4 apply to moodle 1.5.4.

From duytan_it_hut at yahoo.com Thu Sep 28 09:35:32 2006
From: duytan_it_hut at yahoo.com (duytan dao)
Date: Thu, 28 Sep 2006 02:35:32 -0700 (PDT)
Subject: How to use Xinet to start another services which are not running.
Message-ID: <20060928093532.89118.qmail@web51503.mail.yahoo.com>

Hi experts!

I have some questions that need answers; I hope someone will spend a little time to answer my questions.

1. If a service which was demanded (requested daemon) is not running, will it be started or restarted by Xinetd?
2. Does Xinetd have the ability to start or restart other services (daemons) which terminated or are not running?

Could you help me?

Waiting for your reply,
Best regards!

Dao Duy Tan
Information Systems - Faculty of Information Technology
Hanoi University of Technology
High Performance Computing Center
Office : 306 Hitech - Hanoi University of Technology
Office number: 84-04-8682355
Handphone :84-912972799

From bugzilla at redhat.com Thu Sep 28 14:28:27 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Sep 2006 10:28:27 -0400
Subject: [Bug 208299] CVE-2006-4976: php-adodb information disclosure
In-Reply-To:
Message-ID: <200609281428.k8SESRMl012152@bugzilla.redhat.com>

Summary: CVE-2006-4976: php-adodb information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208299

------- Additional Comments From gauret at free.fr 2006-09-28 10:28 EST -------
I've asked the author about this. He wasn't warned.
http://phplens.com/lens/lensforum/msgs.php?id=15890

From bugzilla at redhat.com Thu Sep 28 17:13:07 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Sep 2006 13:13:07 -0400
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200609281713.k8SHD7C7026530@bugzilla.redhat.com>
Summary: CVE-2006-3458: Zope local information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106

------- Additional Comments From gauret at free.fr 2006-09-28 13:12 EST -------
I have no FC3 or FC4 box available, so I can't test it. On top of that, FC4 is not supported anymore, so I guess it's more of a job for Legacy.

From bugzilla at redhat.com Thu Sep 28 19:52:51 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Sep 2006 15:52:51 -0400
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200609281952.k8SJqpA3006668@bugzilla.redhat.com>

Summary: CVE-2006-3458: Zope local information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106

------- Additional Comments From tibbs at math.uh.edu 2006-09-28 15:52 EST -------
Why would this be a job for Legacy? They've never handled Extras packages, nor do they intend to.

From bugzilla at redhat.com Thu Sep 28 20:28:40 2006
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Thu, 28 Sep 2006 16:28:40 -0400
Subject: [Bug 198106] CVE-2006-3458: Zope local information disclosure
In-Reply-To:
Message-ID: <200609282028.k8SKSe4c008784@bugzilla.redhat.com>
Summary: CVE-2006-3458: Zope local information disclosure

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=198106

------- Additional Comments From gauret at free.fr 2006-09-28 16:28 EST -------
I thought this has been discussed at some point. OK, I'm willing to add the hotfix, but someone needs to test the package on those distros